Salesforce Security


The aim of this article is to provide the Ohana community with security hardening recommendations for Salesforce. I have been in the ecosystem since 2020, combined with 9 years of IT security experience, which should establish my credentials for discussing this topic. A special thanks and credit also goes to the team members at WithSecure who assisted me in gathering the recommendations: Antti Tuomi, Dmitriy Viktorov and Pankaj Paryani. Salesforce has produced a product that places emphasis on security. However, it is by no means perfect and contains its own flaws; in this article I will share recommendations for hardening your Salesforce environment.

First, let's describe what Salesforce is. People would say that it is just a CRM (Customer Relationship Management) system that sits in the cloud. Let's demystify this notion: it is more than just a CRM, it is a suite of multiple functionalities:

- A fully customizable cloud technology that enhances and streamlines business processes.

- A communication tool which enables users to collaborate together.

- Cloud software that helps to prospect and generate leads that can be converted to customers.

- An automation tool that alleviates repetition.

- A support tool for customers, where they can raise incidents concerning a product or service pre- and post-sales.

RECOMMENDATIONS

The recommendations may look exhaustive, but this should not discourage the use of Salesforce, as it is still strong on security. Some of the security initiatives from Salesforce can be found here.

  • Cross-object formulas – avoid these as much as possible, as they can bypass sharing rules.
  • View All / Modify All permissions – use at your own risk; these also bypass sharing rules.
  • View All Data / Modify All Data permissions – strongly discouraged for end users, as they imply full access.
  • Salesforce Optimizer – run this on a regular basis, especially after a new Salesforce release (or, if you have an architect, they can optimize your org).
  • Integrations – a separate user account per integration is recommended, which helps with audit tracing.
  • Security auditing – Salesforce provides a tool called View Setup Audit Trail. It is recommended to regularly monitor and track any changes made by users. However, you are limited to viewing the last 6 months of activity.

[Screenshot: Setup audit trail]
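Because the Setup Audit Trail only keeps six months of history, regular export and review matters. The following is an added example, not code from the article: it builds the SOQL for the SetupAuditTrail object, flags entries an administrator should look at, and archives the rows as JSON lines. The Section labels in SENSITIVE_SECTIONS and the sample records are assumptions and constructed data, not output from a real org.

```python
"""Triage Setup Audit Trail changes and archive them past the 6-month window.

Added example, not from the original article. audit_trail_soql() builds the
SOQL for the real SetupAuditTrail object; flag_changes() picks out entries an
admin should review; SAMPLE_RECORDS is constructed data in the REST API's
shape, not output from a real org.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumption: these Section labels match what Setup -> View Setup Audit Trail
# shows in your org; adjust the set for your edition and language.
SENSITIVE_SECTIONS = {"Manage Users", "Security Controls", "Connected Apps",
                      "Sharing Defaults", "Password Policies"}

def audit_trail_soql(days=7):
    """SOQL for the last `days` of setup changes, newest first."""
    since = datetime.now(timezone.utc) - timedelta(days=days)
    return ("SELECT Id, CreatedDate, CreatedBy.Username, Section, Action, "
            "Display, DelegateUser FROM SetupAuditTrail "
            f"WHERE CreatedDate >= {since:%Y-%m-%dT%H:%M:%SZ} "
            "ORDER BY CreatedDate DESC")

def flag_changes(records):
    """Entries in a sensitive section, or made through a delegate login
    (DelegateUser set means a support / login-as session made the change)."""
    return [r for r in records
            if (r.get("Section") or "") in SENSITIVE_SECTIONS
            or r.get("DelegateUser")]

def archive_jsonl(records, path):
    """Append records as JSON lines so history outlives Salesforce's retention."""
    with open(path, "a", encoding="utf-8") as fh:
        for r in records:
            fh.write(json.dumps(r, sort_keys=True) + "\n")
    return len(records)

# Constructed sample rows (not real org data).
SAMPLE_RECORDS = [
    {"Id": "0Ym000000000001", "Section": "Manage Users", "Action": "PermSetAssign",
     "Display": "Assigned permission set X to user Y", "DelegateUser": None},
    {"Id": "0Ym000000000002", "Section": "Customize Accounts",
     "Action": "createdCustomField", "Display": "Created field Foo", "DelegateUser": None},
    {"Id": "0Ym000000000003", "Section": "Customize Leads",
     "Action": "changedValidationRule", "Display": "Changed validation rule",
     "DelegateUser": "support@salesforce.com"},
]
```

Run the query with whichever API client your org already uses (Workbench, the REST API or a scheduled script) and feed its `records` list to `flag_changes` and `archive_jsonl`.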

  • Security health check – I would suggest running this on a daily basis to verify whether there are any security vulnerabilities.

[Screenshot: Health check]

  • Email-to-Case / Web-to-Case – susceptible to a man-in-the-middle attack; ensure encryption is used during email transmission.
  • Enable MFA – great to see that Salesforce made this compulsory as of February 2022. If hackers gain access to the password, it adds an extra layer of security. I use the analogy of going to the airport: your passport is the equivalent of your password, the boarding pass is like your MFA.
  • Antivirus – As files are uploaded within your org, are you certain where they are coming from? Invest in an antivirus tool to prevent malware from spreading in your org.
  • System Administrator access – for end users this is an absolute no; it is handing over the keys to the kingdom. The system would be open to compromise, including data breaches, and this would wreak havoc.
  • Third-party apps – Research the vendor, check the reviews and ask yourself if it is a trusted source. Avoid using apps from outside AppExchange unless you have researched their security.
  • Connected Apps – As this is data coming into Salesforce from external sources, the use of connected apps should be minimized.
  • Passwords – Password length combined with a mixture of upper case, lower case and special characters hardens access; Password Monster would be a great tool to assess password strength. Furthermore, it is recommended to configure the expiry to 30 days.

[Screenshot: Profiles and password policy settings]

  • Interfaces – for any internet-facing features, ensure access is tightened.
  • Data Loader – it is recommended to authenticate using OAuth, as this is the most secure method; this consists of a combination of your password plus the appended security token. The latter can be found by going to your personal settings and selecting Reset Security Token; Salesforce will then email you the token.

[Screenshot: Reset Security Token option]
[Screenshot: Data Loader OAuth login option]

  • Data Backups – should be performed regularly and encrypted; using data compression tools such as WinZip or 7-Zip you can encrypt with AES-256.
  • SSO – used to log on with a single login to access applications in Salesforce, where an identity check is performed. For hardened security it is recommended to combine it with MFA.
  • Profile access – determines what a user can do at the object level; provide the minimum access possible for their job function.

[Screenshot: Object settings]
[Screenshot: Object permissions]
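The View All / Modify All and profile access items above both come down to knowing who holds sharing-bypassing rights. The following is an added example, not code from the article: it queries the PermissionSet and ObjectPermissions objects for those rights and reports every holder outside an allow list. The allow list and the sample rows are assumptions and constructed data, not from a real org.

```python
"""Audit View All / Modify All grants, org-wide and per object.
Added example, not from the original article. The SOQL targets the real
PermissionSet and ObjectPermissions objects (a profile is a PermissionSet row
with IsOwnedByProfile = true); the *_ROWS lists are constructed sample data in
the REST API's shape, not from a real org.
"""
PERMSET_SOQL = ("SELECT Label, IsOwnedByProfile, Profile.Name, "
                "PermissionsViewAllData, PermissionsModifyAllData FROM PermissionSet "
                "WHERE PermissionsViewAllData = true OR PermissionsModifyAllData = true")
OBJPERM_SOQL = ("SELECT Parent.Label, Parent.IsOwnedByProfile, Parent.Profile.Name, "
                "SobjectType, PermissionsViewAllRecords, PermissionsModifyAllRecords "
                "FROM ObjectPermissions WHERE PermissionsViewAllRecords = true "
                "OR PermissionsModifyAllRecords = true")
# Assumption: only the standard System Administrator profile should hold these
# rights; add your org's break-glass profiles or permission sets here.
ALLOWED = frozenset({"Profile:System Administrator"})

def grantee(ps):
    """Holder name: the profile for profile-owned rows, else the permission set."""
    if ps.get("IsOwnedByProfile") and ps.get("Profile"):
        return "Profile:" + ps["Profile"]["Name"]
    return "PermSet:" + ps["Label"]

def findings(permset_rows, objperm_rows, allowed=ALLOWED):
    """(grantee, scope, right) for each grant outside the allow list; scope is
    '*' for org-wide data rights, otherwise the object API name."""
    out = []
    for ps in permset_rows:  # org-wide rights override every sharing setting
        right = ("Modify All Data" if ps.get("PermissionsModifyAllData")  # implies View
                 else "View All Data" if ps.get("PermissionsViewAllData") else None)
        if right and grantee(ps) not in allowed:
            out.append((grantee(ps), "*", right))
    for op in objperm_rows:  # per-object rights bypass sharing rules for that object
        right = "Modify All" if op.get("PermissionsModifyAllRecords") else "View All"
        if grantee(op["Parent"]) not in allowed:
            out.append((grantee(op["Parent"]), op["SobjectType"], right))
    return out

# Constructed sample rows (not real org data).
PERMSET_ROWS = [
    {"Label": "System Administrator", "IsOwnedByProfile": True, "Profile": {"Name": "System Administrator"},
     "PermissionsViewAllData": True, "PermissionsModifyAllData": True},
    {"Label": "Sales Reporting", "IsOwnedByProfile": False,
     "PermissionsViewAllData": True, "PermissionsModifyAllData": False},
]
OBJPERM_ROWS = [
    {"Parent": {"Label": "Support Agent", "IsOwnedByProfile": True,
                "Profile": {"Name": "Support Agent"}}, "SobjectType": "Case",
     "PermissionsViewAllRecords": True, "PermissionsModifyAllRecords": True},
]
```

Each finding is either a grant to remove or one to document with its business justification; re-run it after every release and permission set change.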

  • Record access – Ensure that minimum access to records that users don't own is granted via org-wide defaults. Then open up access to users with a granular approach using sharing rules / role hierarchy.

[Screenshot: Sharing settings]

  • Field access – Set history tracking on sensitive to critical data; there is a limit of 20 fields per object.

[Screenshot: Field history]

  • IP restrictions / login hours – These can be specified at the org level as well as the profile level. It is recommended to additionally specify a range at profile level, as anything outside this range prevents users from entering the system and stops bad actors attempting to gain access to your org.

[Screenshot: Login hours at the profile level]
[Screenshot: IP range at the profile level]

  • Data Masking – This is strongly encouraged within your sandbox environment, allowing you to replace sensitive data with unrelated data or special characters. Data is king; by providing random fictitious data you prevent hackers from eavesdropping on company-sensitive data.
  • Encryption – it is recommended to implement Salesforce Shield within your org. It is reassuring to see that it adopts AES-256 encryption, which is impossible to crack and would take a hacker many years to break, which wouldn't be worth the time. If the NSA trusts and uses it, this speaks volumes. More information about AES-256 can be found here.

CONCLUSION

The security threat landscape is constantly evolving as hackers look for sophisticated and creative ways to exploit weaknesses. Also of strong importance is the human factor and the lack of awareness and training; at times it is not the technology but the decision making of the person behind the computer screen. Social engineering is on the rise, and people are susceptible to the emotional persuasion of the person on the other end of the phone. Providing users more access than necessary opens the system to vulnerabilities and mistakes from the end user. Misconfiguration is also a source of security threats; ask yourself if a feature is really required and whether it can be disabled.

Anya Zvezdina

Salesforce Administrator

2 years ago

Also, do you have any further pointers on security implications of Web-to-case feature use?

Anya Zvezdina

Salesforce Administrator

2 years ago

Thanks for the great list Salvatore Saia! It touches on a topic I was recently considering; what is the point of having a complex password if the user is using MFA?
